Presentation is loading. Please wait.

Presentation is loading. Please wait.

A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center.

Published byNora Nelson Modified over 8 years ago

Similar presentations

Presentation on theme: "A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center."— Presentation transcript:

1 A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center University of Science and Technology of China Hefei, Anhui, China 2 Department of Computer Science and Software Engineering Concordia University Montreal, Quebec, Canada

2 2009/12/19Conseg 09 Fuzzing for Software Vulnerability2 Contents 2 1.Introduction and Motivation 2.FTSG Model 3.Related Techniques Static analysis Dynamic binary instrument and dynamic trace I/O analysis 4.GAMutator 5.Prototype System: DXFuzzing 6.Validation 7.Experiments 8.Conclusion

3 2009/12/19Conseg 09 Fuzzing for Software Vulnerability3 1 Introduction and Motivation 1 Introduction and Motivation C code of a vulnerable procedure 3 int process_chunck(char* head_str, char* data_str, char* program checksum){ char buf[60]; char buf1[32]; char buf2[32]; memset(buf, 0, 60); if ( true == strong_check(head_str,data_str,program checksum)){ if ( strlen(head_str) > 32 || strlen(data_str) >32) return -1; strcpy(buf1, head_str); strcpy(buf2, data_str); strcat(buf, head_str); strcat(buf, data_str);//error return 1; } else return -1; } knowledge-based fuzzing could pass it easily one-dimension m&g strategy can’t overflow if length(head_str) = 16 and length(data_str) = 20

4 2009/12/19Conseg 09 Fuzzing for Software Vulnerability4 2 FTSG Model 4 FTSG: Fuzzing Test Suites Generation FTSG = ( s, L, N, C, F,OP,Result), OP = {M, Slv}, Result = {sampletree, mediumtree, newtree, testcase, testsuite}.

5 2009/12/19Conseg 09 Fuzzing for Software Vulnerability5 2 FTSG: Procedure for generating test cases 2 FTSG: Procedure for generating test cases by Mutation Operators and Slv 5 M = {m 1, …, m i, …, m k, GAMutator} F = {f 1,f 2, …, f e, …,f v } for (each m i in M except GAMutator) { while (!(mediumtree = m i (sampletree)) ) { newtree=Slv(mediumtree, C) } for (each f e in F) { while (!(mediumtree = GAMutator (sampletree, f e )) ) { newtree=Slv(mediumtree, C) }

6 2009/12/19Conseg 09 Fuzzing for Software Vulnerability6 2 FTSG: Total number of test cases 6

7 2009/12/19Conseg 09 Fuzzing for Software Vulnerability7 3 Related Techniques: 3 Related Techniques: Static analysis , dynamic binary instrument and dynamic trace 7 TechniqueUsageTool Static analysis identify insecure functions IDA PRO Dynamic binary instrument get insecure functions’ dynamic input arguments values to calculate fitness value Pin Dynamic trace monitor buffer coverage Pydbg

8 2009/12/19Conseg 09 Fuzzing for Software Vulnerability8 3 Related Techniques: 3 Related Techniques: I/O analysis 8 MethodInstrument Target Characteristic static analysissource codefalse alarm execution- oriented analysis binary codesimple and precise

9 2009/12/19Conseg 09 Fuzzing for Software Vulnerability9 3 Related Techniques: 3 Related Techniques: I/O analysis: execution-oriented analysis 9 INPUTOUTPUTVALUE of O k t 1 = (a 1,a 2,…,a s,…,a n )O = {o 1,o 2, …, o k, … o n }V1V1 t 2 = (a 1,a 2,…,a s,…,a n )O = {o 1,o 2, …, o k, … o n }V2V2 t 3 = (a 1,a 2,…,a s’,…,a n )O = {o 1,o 2, …, o k, … o n }V3V3 x s influences output o k if and only if V 1 =V 2 ≠V 3 where a i ∈ D(x i ), a s’ ∈ D(x i ), a s ≠a s’

10 GAMutator  GAMutator mutates relative l or n in sampletree to trigger suspend vulnerability in f e.  l or n are the inputs that influence some arguments of f e. 2009/12/19Conseg 09 Fuzzing for Software Vulnerability10

11 Cont.  Special Characteristics of GAMutator:  A multi-dimension mutation operator.  A demand-oriented operator.  The number of test cases that GAMutator generates is not fixed.  Communicates with outside system.  The genetic algorithm here is used to generate test cases to trigger vulnerability in unsafe functions  The number of test cases generated by GAMutator is O(h). 2009/12/19Conseg 09 Fuzzing for Software Vulnerability11

12 2009/12/19Conseg 09 Fuzzing for Software Vulnerability12 4 GAMutator: 4 GAMutator: Heuristics and fitness function 12 Heuristics are used to generate test cases more likely to trigger vulnerability in f e in F. TWO EXAMPLES: 1 strcpy( dst, src) 2 malloc(a)

13 5 Prototype System: DXFuzzing 1) Locate insecure functions positions in target binary code by Program Analyzer. Record their information into database; 2) Analyze corresponding network protocols or file format in target application according to related knowledge, choose a sample file s and write a primitive xml test script manually which contains a sampletree; 3) Scheduling Engine calls XFuzzing to fuzz target application with m i and records runtime information with Program Analyzer when it is necessary. 2009/12/19Conseg 09 Fuzzing for Software Vulnerability13

14 2009/12/19Conseg 09 Fuzzing for Software Vulnerability14 Cont. 4) Data Mapper constructs relationships between X and F based on collected runtime information. 5) Scheduling Engine calls XFuzzing to fuzz target application with GAMutator. 14

15 2009/12/19Conseg 09 Fuzzing for Software Vulnerability15 6 Validation 1) Based on application-specific knowledge, DXFuzzing could generate test cases which easily pass strong program checks and validations in the program. 2) The problem of finding new combinations to trigger possible vulnerability in f e in F is especially suitable for genetic algorithm to solve. 15

16 Cont. 3) GAMutator does not only care about the relationships between l i and f e, but also cares about n j and f e. Because some f e in F is influenced by the n j, however, the n j is neglected in general. 4) Different from combinatorial test in black-box testing, the combination of l i or n j in DXFuzzing is decided by the I/O analysis; the values of l i or n j in some combination are refined by every generation. 2009/12/19Conseg 09 Fuzzing for Software Vulnerability16

17 Cont.  Execution-oriented I/O analysis in DXFuzzing is preferred here. 2009/12/19Conseg 09 Fuzzing for Software Vulnerability17

18 2009/12/19Conseg 09 Fuzzing for Software Vulnerability18 7 Experiments 18 LibPng library as the target application Some data are as follows: Function nameusePng.exeLibPng.dll v1.0.6 strcpy16 memcpy077 sprintf016 malloc18113 Table I insecure functions in target application IDINPUT ELEMENTS 101PngFile..IHDA_CHUNK_DATA.BitDepth 102PngFile..IHDA_CHUNK_DATA.ColorType 109PngFile..IHDA_CHUNK_DATA.Height 111PngFile..IHDA_CHUNK_DATA.Width Table II Input nodes

19 2009/12/19Conseg 09 Fuzzing for Software Vulnerability19 Cont. ID INSECURE FUNCTIONS 72pngrutil.c(2939):png_ptr- >row_buf=(png_bytep)png_malloc(png_ptr,row_bytes) 73pngrutil.c(2945):png_ptr- >prev_row=(png_bytep)png_malloc(png_ptr, png_uint_32)( png_ptr->rowbytes + 1)) 89pngread.c(1301):info_ptr- >row_pointers=(png_bytepp)png_malloc(png_ptr,info_ptr- >height * sizeof(png_bytep)) Table III Insecure functions influenced by input nodes

20 2009/12/19Conseg 09 Fuzzing for Software Vulnerability20 Cont. Figure 4. Relationships between inputs and insecure functions by static analysis Figure 5. Relationships between inputs and outputs by dynamic execution simple and precise

21 2009/12/19Conseg 09 Fuzzing for Software Vulnerability21 Cont. wwidth111 dBitDepth101 zArgument value of png_malloc73 Initial Values: w = 0x20, d = 0x01 w ∈ [0,0xfffffff] , d ∈ [0,0xff].

22 Cont.  Further analyzing, we got d ∈ {1,2,4}.  w and d will generate 3×0x100000000 = 12884901888 combination test cases.  However, there are only 262148 of them that could trigger this vulnerability if we set B=100000  For this case png_malloc could successfully allocate memory.  So the possibility is 262148/12884901888 = 0.00002. 2009/12/19Conseg 09 Fuzzing for Software Vulnerability22

23 2009/12/19Conseg 09 Fuzzing for Software Vulnerability23 Cont. Width, BitDepth distribution when they trigger this vulnerability

24 2009/12/19Conseg 09 Fuzzing for Software Vulnerability24 Cont. ToolsNumber of vulnerability checkedNumber of test cases Smart Fuzzer01000000 GAFuzzing01000000 Peach 2.3431026 DXFuzzing734222 Table IV Vulnerabilities Found by Different Fuzzing Tools

25 2009/12/19Conseg 09 Fuzzing for Software Vulnerability25 Conclusion  Whitebox fuzzing is complex, time costly and there are still some problems such as path explosion, and is hard to pass strong program checks fully automatically.  Peach is an outstanding knowledge-based fuzzing tool. 25

26 Conclusion  DXFuzzing enriches current mutation methodology with multi-dimension input nodes mutation strategy without combinatorial explosion. So DXFuzzing could find some vulnerabilities that never will been found by one- dimension mutation fuzzing. 2009/12/19Conseg 09 Fuzzing for Software Vulnerability26

27 2009/12/19Conseg 09 Fuzzing for Software Vulnerability27 9 For More Information 27 For More Questions and Comments: wuzhiyong0127@gmail.com bill@cse.concordia.ca zhuxy@ustc.edu.cn

Download ppt "A New Fuzzing Technique for Software Vulnerability Testing IEEE CONSEG 2009 Zhiyong Wu 1 J. William Atwood 2 Xueyong Zhu 3 1,3 Network Information Center."

Similar presentations

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.

1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.

TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang 1, Tao Wei 1, Guofei Gu 2, Wei Zou 1 1 Peking.
Towards Self-Testing in Autonomic Computing Systems Tariq M. King, Djuradj Babich, Jonatan Alava, and Peter J. Clarke Software Testing Research Group Florida.

Towards Self-Testing in Autonomic Computing Systems Tariq M. King, Djuradj Babich, Jonatan Alava, and Peter J. Clarke Software Testing Research Group Florida.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University

The Intelligent Fuzzing in TTCN-3 Xu Luo, Wu Ji, Liu Chao Software Engineering Institute Beihang University
Nov 200291.3913 R McFadyen1 A Traditional Software Development Process Unit test Integration test System test Detailed design Architectural design Analysis.

Nov R McFadyen1 A Traditional Software Development Process Unit test Integration test System test Detailed design Architectural design Analysis.
TAintscope A Checksum-Aware Directed fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang1, Tao Wei1, Guofei Gu2, Wei Zou1 1Peking.

TAintscope A Checksum-Aware Directed fuzzing Tool for Automatic Software Vulnerability Detection Tielei Wang1, Tao Wei1, Guofei Gu2, Wei Zou1 1Peking.
Fuzzing Dan Fleck CS 469: Security Engineering Sources:

Fuzzing Dan Fleck CS 469: Security Engineering Sources:
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
 Monday, 9/30/02, Slide #1 CS106 Introduction to CS1 Monday, 9/30/02  QUESTIONS (on HW02, etc.)??  Today: Libraries, program design  More on Functions!

 Monday, 9/30/02, Slide #1 CS106 Introduction to CS1 Monday, 9/30/02  QUESTIONS (on HW02, etc.)??  Today: Libraries, program design  More on Functions!
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,

EE694v-Verification-Lect5-1- Lecture 5 - Verification Tools Automation improves the efficiency and reliability of the verification process Some tools,
1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.

1 Loop-Extended Symbolic Execution on Binary Programs Pongsin Poosankam ‡* Prateek Saxena * Stephen McCamant * Dawn Song * ‡ Carnegie Mellon University.
Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.

Principle of Functional Verification Chapter 1~3 Presenter : Fu-Ching Yang.
High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.

High Level: Generic Test Process (from chapter 6 of your text and earlier lesson) Test Planning & Preparation Test Execution Goals met? Analysis & Follow-up.
Chapter 10: Architectural Design

Chapter 10: Architectural Design

Similar presentations

Ads by Google